Roundcube Webmail - Remote Code Execution

Short Info

Level

Critical

Single Scan

Can be used by

Asset Owner

Estimated Time

10 seconds

Time Interval

16 days 15 hours

Scan only one

Domain, Subdomain, IPv4

Toolbox

-

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

References:

https://nvd.nist.gov/vuln/detail/CVE-2025-49113
https://fearsoff.org/research/roundcube
https://github.com/advisories/GHSA-8j8w-wwqc-x596
http://www.openwall.com/lists/oss-security/2025/06/02/3
https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d
https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695
https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e

Get started to protecting your digital assets

Start trial See the plans

Roundcube Webmail - Remote Code Execution

Short Info

-

Detail

Category